ROCK on NUC - Network file sharing a security risk?

Hi. I am running ROCK on a NUC. It has performed flawlessly until a week or two ago, when I noticed that ROCK disappeared from my network so I was unable to transfer music to the internal HD. Eventually I figured out what I think the issue is. I am running Windows 10 on the laptop that I am using to transfer my music to ROCK. I believe Microsoft at some point disabled SMB1 sharing claiming that it is a security issue. Once I re-enabled it, the ROCK reappeared. I am not tech savvy enough to understand the security risks, but the fact that Microsoft views it as an issue is reason enough for me to be concerned.

When I tried to connect to the ROCK, I got this error:

“You can’t connect to the file share because it’s not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack.
Your system requires SMB2 or higher. For more info on resolving this issue, see: Bing”

When I re-enabled the SMB1 protocol, the ROCK reappeared and I was able to move music to it again. So, my question is: is it on the roadmap for ROCK to change to SMB2, which Microsoft says is secure? Or is this blown out of proportion?

Let’s tag @support to follow up on this.

1 Like

There is no plan to move to SMB2 for the time being. This security thing mostly applies in an enterprise situation. Most people do not even run home SMB with a password.

Thanks for your prompt response. I do not know enough about SMB to know what is or isn’t best practice regarding security. I can tell you that at home I run my wifi encrypted, with SSID hidden and use MAC Filtering to keep intruders out. That is about all I know how to do as far as security. Hopefully it does not matter whether ROCK is sharing on SMB1 or SMB2 assuming the entire network is secure? Regardless, if you are comfortable that continuing to use SMB1 doesn’t put us at risk, then I will take your word for it. Thanks again!

Your wireless security is more than most would do…some still don’t run any security on their ssid, never mind hiding it or using MAC filtering.

Home environment must sometimes bow to use the lowest common denominator for file sharing etc as legacy devices will struggle otherwise.

I’m not sure what you mean by “this security thing.” From what I read, Windows has had “SMBv2” since Vista (that’s the client version, or “situation”), which is ancient history. Windows has had “SMBv3” since Windows 8 (again, client), which is maybe 4 years old. These protocols cannot be turned off except by explicit action, so I assume that most Windows users do employ those protocols.

“Most people do not even run home SMB with a password.”

It’s harder to evaluate this statement. I for one use authentication by id/password. If it is true that most people have no such authentication, that’s really bad practice. To my mind, Roon shouldn’t be encouraging that practice by offering no secure alternatives (that is, some kind of authentication).

Mind you, it’s too late now for Roon to make a secure alternative the default (too many installations, too much disruption), but Roon would be better in offering a secure alternative, a choice, an opt-in.

1 Like

…And that is the problem. The way to look at it is that anyone clever enough to break into and access your home network will not be troubled by your ‘security’ measures:
wifi encryption can be cracked easily or bypassed
MAC addresses can be spoofed
ISP routers are notoriously cheap nasty insecure (and often unsecured) things

And if they get in the first thing they will do is take over your router and turn all the security off. In a home environment I would be worried about them stealing all my online banking details and passwords, not accessing ROCK to copy some of my music. Enterprise security is a whole different ball game though involving ‘defence in depth’. Multiple layers of security so that even if you can get in undetected, you can’t get at anything.

My WIN 10 has just had the Fall Creators Update and is still able to access ROCK shares. They could have turned this on as a security update though, but the fuss over SMB1 was some time ago and likely to have been done before this update.

It sounds like your system went through the Windows 10 Fall Creators Update, because that tightened SMB use (see https://support.microsoft.com/en-us/help/4034314/smbv1-is-not-installed-windows-10-and-windows-server-version-1709). As you found, you can undo the tightening. That’s not something I’d do unless I had no alternative; but Roon seems to offer no alternative.

Roon ought to at least tell Microsoft it uses SMB1 and has no plans to go to SMB2. For that purpose, refer to https://blogs.technet.microsoft.com/filecab/2017/06/01/smb1-product-clearinghouse/.

2 Likes

It’s way beyond time that this was addressed. It currently seems a strong reason not to use Rock.

2 Likes

While SMBv1 is deprecated technology, I don’t think I would go so far as to say it is a showstopper.

SMB v3 has been requested a number of times in the Roon OS 2.0 thread, so perhaps it may finally arrive.

Agreed, that is an issue, if your organisation locks down your work PC and you can’t do filesharing with it to your Nucleus or ROCK/PC. I’m in the fortunate position that while I have work accounts on my PC, the organisations that they belong to do not manage my PC - it remains mine.

Ha, was just about to reply to this thread when I saw that I already had, 5 years ago! So the question is how many ROCK/Nucleus users have had SMB1 vulnerabilities taken advantage of by hackers or a virus?

The joys of locked down systems.

Nucleus uses ROCK, so most probably it does.

I think lighter, easier and turn key are already very diminished returns, especially if it works only on certain hardware. Installing core on Linux or Windows should not be harder than flashing ROCK.

While yeah it should support SMB2/3, enterprise deployments are hardly the Roon target demographic

But it is, and maintaining the OS long-term is yet another level. (I know you don’t agree with that, but I am convinced that this is because you are too good with computers)

(It is, however, mildly amusing that some people think the Nucleus “sounds” better after deploying one of the chattiest network protocols on the planet. There is something to that network noise after all :wink: )

I misinterpreted the size, but it’s still a business and while I appreciate that many business owners will run it in their office, it’s probably still not the main target market.
(In a simple home network, if there is ransomware on the network they have lost already. SMB1 on the ROCK won’t change that much).

But I agree that something better should be added in 2.0

Yeah, definitely, even if only because enabling it is getting more and more difficult or soon even impossible, as you say.
We know that Roon are working on RoonOS 2.0 and I’ll be very surprised if this isn’t addressed. Maybe it should have happened earlier.

1 Like

I have not had to enable SMB1 to connect to a ROCK share in Windows 10. But previously I have had to open up the passwordless guest account access to remote shares in SMB2/3 in Windows in order to connect to a ROCK share.

To avoid the problem of enabling guest account access for shares in Windows I have mounted my ROCK\DATA share on my NAS, then I connect to the NAS mounted share in Windows. This means I do not have to enable SMB1 in Windows or enable guest access.

My NAS does not use SMB1, and yet it can also connect to the ROCK\DATA share directly.

So are we sure SMB 1 actually is a requirement to connect to ROCK\DATA?

Yeah maybe, I’ve tried to restrict it to SMB2/3 though as you can see from the screen grab above. Do you know what other protocols ROCK supports? It must support at least one of the protocols my NAS is able to use?
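
The question of which protocol a share actually negotiates can be settled from a packet capture rather than from client settings. The following is an added example, not code from the thread or from Roon: it classifies a server's negotiate reply on TCP port 445 by its protocol magic and, for SMB2/3, reads the selected dialect and the signing-required bit. The function and variable names are assumptions for illustration, and both sample replies are constructed, not captured from a real ROCK or NAS.

```python
import struct

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB2_DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0",
                 0x0302: "3.0.2", 0x0311: "3.1.1"}

def classify_negotiate_reply(payload: bytes) -> dict:
    """Classify a server's negotiate reply taken from a capture of TCP port 445.

    payload is the TCP payload: a 4-byte transport header (zero byte plus
    3-byte big-endian length) followed by the SMB message. The caller is
    assumed to pass a server-to-client message.
    """
    if len(payload) < 8 or payload[0] != 0:
        raise ValueError("not an SMB session message")
    msg = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    if msg[:4] == SMB1_MAGIC:
        if msg[4:5] != b"\x72":  # 0x72 = SMB_COM_NEGOTIATE
            raise ValueError("SMB1 message is not a negotiate reply")
        return {"family": "SMB1", "dialect": None, "signing_required": None}
    if msg[:4] == SMB2_MAGIC:
        # 64-byte SMB2 header; Command (offset 12) is 0 for NEGOTIATE.
        if len(msg) < 70 or struct.unpack_from("<H", msg, 12)[0] != 0:
            raise ValueError("SMB2 message is not a complete negotiate reply")
        # Reply body: StructureSize, SecurityMode, DialectRevision.
        _size, security_mode, revision = struct.unpack_from("<HHH", msg, 64)
        return {"family": "SMB2/3",
                "dialect": SMB2_DIALECTS.get(revision, hex(revision)),
                "signing_required": bool(security_mode & 0x0002)}
    raise ValueError("unknown protocol magic")

def _frame(msg: bytes) -> bytes:
    """Prefix an SMB message with the 4-byte transport header."""
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

# Constructed sample replies (not captured from a real ROCK or NAS).
SAMPLE_SMB1 = _frame(SMB1_MAGIC + b"\x72" + bytes(27) + bytes(3))
SAMPLE_SMB3 = _frame(SMB2_MAGIC + struct.pack("<HHIH", 64, 0, 0, 0) + bytes(50)
                     + struct.pack("<HHH", 65, 0x0001, 0x0311) + bytes(58))

if __name__ == "__main__":
    for name, sample in (("SMB1", SAMPLE_SMB1), ("SMB3", SAMPLE_SMB3)):
        print(name, classify_negotiate_reply(sample))
```

A reply that begins with the SMB2 magic means the server agreed to SMB2 or later with that client; a reply that begins with the SMB1 magic means the session fell back to SMB1.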